Footloose And Fancy Free With Three Socks 5-Based Proxy Servers

Deerfield.com WinGate 2.1
WinGate is more than a Socks 5 proxy server; in addition to traditional proxy functionality, it offers full application proxy facilities. But Deerfield.com's solution focuses on access control rather than data encryption, and unlike the VPN Server and Proxy Server, it does not allow proxy chaining. WinGate offers excellent logging and incorporates solid packet filtering, but it does not let you filter based on content.

WinGate associates user names with IP addresses only for accounting purposes, either via GateKeeper, WinGate's client utility, or by setting up "Assumed Users." With GateKeeper, users must log into WinGate, where their current IP addresses will be associated with their user names. Using Assumed Users, any traffic arriving from a predefined IP address is automatically associated with a specific user. This approach is OK if you know users' IP addresses beforehand, but in the world of dynamic IP (via DHCP) or an ISP, this isn't a realistic option.

Think Globally, Act Locally
We found the security and filtering configuration less straightforward than in the other two products we tested. Access control is set through system policy (filtering) tabs at either the global level or within individual services. Because WinGate is more than a simple proxy service, care should be taken when setting global access-control policies. Global policies will affect all services, such as the Socks 5 proxy, HTTP proxy, SMTP proxy, etc. For greater control, we preferred to set access control at a service level. You must decide where to set policies--either globally or service by service--or you'll have a tough time getting correct permissions. WinGate expects to act as a proxy, so it looks for a rule to pass incoming data, even if there are conflicting rules. Unfortunately, WinGate offers no easy way to view configured filtering rules.

To control access to Internet sites, WinGate can set up a Ban List, a simplified filtering system that lets you take one of two security positions: "everything not allowed is denied" or "everything not denied is allowed." You configure the Ban List by allowing access to entire sites, regardless of the service the user is attempting to use. For example, we configured our WinGate to deny access to zdnet.com. For finer control, you can set up access permissions via the Advanced tab in the Socks service. For example, we blocked access to ZDnet's FTP site but not its Web site (though in Netscape it shows up as a network error rather than an access denial).

WinGate offers an HTTP proxy service, which lets you simplify management by setting up the Socks 5 service to use the HTTP access policies for HTTP requests received through Socks. Instead of making the same rules in both services or forcing users to configure their browsers for proxy access, leveraging the existing HTTP policies ensures HTTP access is uniformly applied. Unlike Proxy Server, WinGate doesn't make users configure an HTTP proxy in their browsers--as long as their HTTP traffic is "socksified."

To authenticate any user against WinGate, you must use GateKeeper, which allows WinGate to relate incoming user names with IP addresses. Without GateKeeper, users are not authenticated and appear as guests on WinGate's management station. Unauthenticated users are tracked in a separate guest log.

We found WinGate's logging to be very thorough, offering varying levels of detail that can be set for both users and the service. WinGate keeps two separate logs, allowing users to correlate events between users and service statuses. The service log tracks service-specific information, such as access, configuration changes, start-and-stop status, and errors or service events. User logs track specific access, showing each separate proxy access on its own line. We liked the way WinGate's logging calculates access charges based on byte counts. Charges are calculated per file transfer and can easily be accumulated by a third-party program. The system can be configured to roll over logs at preset intervals for easier file management.

Unlike in Proxy Server, users show up in the management station as they access services through WinGate. Guests do, too, but only as long as they are actually using a service. This allows real-time monitoring of who's on the system. Unfortunately, Socks 5 user sessions are treated as dynamic, when in fact they are static.

Netscape Communications Corp. Netscape Proxy Server 3.5
Like WinGate, Netscape's Proxy Server is more than a Socks 5 server; it lets you proxy HTTP, FTP and Gopher connections. Proxy Server is easy to configure and manage, and offers the most intuitive, straightforward management interface among the products we tested. If you're comfortable building packet-filter rules, for example, configuring Socks 5 filtering will be a snap. Although we found initial connections to be somewhat slower than with either VPN Server or WinGate, we suspect this was due to Web caching, not server load.

Setting up filtering was a breeze. With Proxy Server, you just set the address fields, port numbers and configuration. After setting our "everything not allowed is denied" rule, we were pleased to see Proxy Server's packet-filter rules processed in the order they're entered (from top to bottom); when Proxy Server finds a match, it processes the connection. You have good control over the way connections are made, as packet filtering is hierarchical rather than driven by connection or service type.
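The two rule-evaluation behaviors described in this review, ordered first-match with a default deny (Proxy Server) and "look for a rule to pass" despite conflicts (WinGate), give different answers for the same rule set. The following Python sketch is an added example, not code or rule syntax from either product; the `Rule` fields, the function names and the sample rules are constructed for illustration, and the shadowing check is a simple approximation.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

@dataclass(frozen=True)
class Rule:                      # hypothetical rule shape, not a product format
    action: str                  # "permit" or "deny"
    host: str                    # glob pattern for the destination host
    port: Optional[int] = None   # None matches any port

    def matches(self, host, port):
        return fnmatchcase(host.lower(), self.host) and self.port in (None, port)

def first_match(rules, host, port, default="deny"):
    """Top-to-bottom evaluation: the first matching rule decides the connection."""
    for rule in rules:
        if rule.matches(host, port):
            return rule.action
    return default               # "everything not allowed is denied"

def any_permit_wins(rules, host, port, default="deny"):
    """Model of a proxy that passes traffic if any rule permits it, even when
    another matching rule denies it (our reading of the behavior described)."""
    actions = [r.action for r in rules if r.matches(host, port)]
    if "permit" in actions:
        return "permit"
    return "deny" if actions else default

def shadowed(rules):
    """Audit helper: rules that can never fire under first-match because an
    earlier rule already covers the same host pattern and port."""
    dead = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            host_covered = fnmatchcase(later.host, earlier.host)
            port_covered = earlier.port is None or earlier.port == later.port
            if host_covered and port_covered:
                dead.append(later)
                break
    return dead

# Constructed sample rules: block the FTP site but allow the rest of the domain.
ORDERED = [Rule("deny", "ftp.zdnet.com", 21), Rule("permit", "*.zdnet.com")]
MISORDERED = [Rule("permit", "*.zdnet.com"), Rule("deny", "ftp.zdnet.com", 21)]

if __name__ == "__main__":
    for name, rules in (("ordered", ORDERED), ("misordered", MISORDERED)):
        print(name, first_match(rules, "ftp.zdnet.com", 21),
              any_permit_wins(rules, "ftp.zdnet.com", 21), shadowed(rules))
```

Under first-match the specific deny only takes effect when it is entered above the broad permit, and under the permit-wins model it never blocks at all, which is why being able to list and audit configured rules matters.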

